Make it possible to retry setting a PIN, if previous entry does not conform to the PIN policy

msirringhaus · msirringhaus · commit e31cecd0f00c · 2026-02-12T14:33:15.000+01:00
diff --git a/credentialsd-common/src/model.rs b/credentialsd-common/src/model.rs
@@ -112,13 +112,18 @@ pub struct RequestingParty {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub enum ViewUpdateFailure {
     GeneralFailure(String),
+    /// Request required UV, but it was not set on the device yet
     PinNotSet(String),
+    /// User tried to set PIN, but it was too short
+    PinPolicyViolation(String),
 }
 
 impl ViewUpdateFailure {
     pub fn into_string(self) -> String {
         match self {
-            ViewUpdateFailure::GeneralFailure(msg) | ViewUpdateFailure::PinNotSet(msg) => msg,
+            ViewUpdateFailure::GeneralFailure(msg)
+            | ViewUpdateFailure::PinNotSet(msg)
+            | ViewUpdateFailure::PinPolicyViolation(msg) => msg,
         }
     }
 }
@@ -276,6 +281,8 @@ pub enum Error {
     PinAttemptsExhausted,
     /// The RP requires user verification, but the device has no PIN/Biometrics set.
     PinNotSet,
+    /// The device declined the entered PIN, as it violates the PIN policy (e.g. PIN too short)
+    PinPolicyViolation,
     // TODO: We may want to hide the details on this variant from the public API.
     /// Something went wrong with the credential service itself, not the authenticator.
     Internal(String),
@@ -288,6 +295,7 @@ impl Display for Error {
         match self {
             Self::AuthenticatorError => f.write_str("AuthenticatorError"),
             Self::PinNotSet => f.write_str("PinNotSet"),
+            Self::PinPolicyViolation => f.write_str("PinPolicyViolation"),
             Self::NoCredentials => f.write_str("NoCredentials"),
             Self::CredentialExcluded => f.write_str("CredentialExcluded"),
             Self::PinAttemptsExhausted => f.write_str("PinAttemptsExhausted"),
diff --git a/credentialsd-common/src/server.rs b/credentialsd-common/src/server.rs
@@ -220,6 +220,7 @@ impl TryFrom<&Value<'_>> for crate::model::Error {
         let err = match err_code {
             "AuthenticatorError" => crate::model::Error::AuthenticatorError,
             "PinNotSet" => crate::model::Error::PinNotSet,
+            "PinPolicyViolation" => crate::model::Error::PinPolicyViolation,
             "NoCredentials" => crate::model::Error::NoCredentials,
             "CredentialExcluded" => crate::model::Error::CredentialExcluded,
             "PinAttemptsExhausted" => crate::model::Error::PinAttemptsExhausted,
@@ -438,6 +439,7 @@ impl TryFrom<&Structure<'_>> for crate::model::UsbState {
                 let err = match err_code {
                     "AuthenticatorError" => crate::model::Error::AuthenticatorError,
                     "PinNotSet" => crate::model::Error::PinNotSet,
+                    "PinPolicyViolation" => crate::model::Error::PinPolicyViolation,
                     "NoCredentials" => crate::model::Error::NoCredentials,
                     "CredentialExcluded" => crate::model::Error::CredentialExcluded,
                     "PinAttemptsExhausted" => crate::model::Error::PinAttemptsExhausted,
@@ -561,6 +563,7 @@ impl TryFrom<&Structure<'_>> for crate::model::NfcState {
                 let err = match err_code {
                     "AuthenticatorError" => crate::model::Error::AuthenticatorError,
                     "PinNotSet" => crate::model::Error::PinNotSet,
+                    "PinPolicyViolation" => crate::model::Error::PinPolicyViolation,
                     "NoCredentials" => crate::model::Error::NoCredentials,
                     "CredentialExcluded" => crate::model::Error::CredentialExcluded,
                     "PinAttemptsExhausted" => crate::model::Error::PinAttemptsExhausted,
diff --git a/credentialsd-ui/po/credentialsd-ui.pot b/credentialsd-ui/po/credentialsd-ui.pot
@@ -9,7 +9,7 @@ msgstr ""
 "Project-Id-Version: credentialsd-ui\n"
 "Report-Msgid-Bugs-To: \"https://github.com/linux-credentials/credentialsd/"
 "issues\"\n"
-"POT-Creation-Date: 2026-02-11 14:31+0100\n"
+"POT-Creation-Date: 2026-02-12 14:18+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -21,7 +21,7 @@ msgstr ""
 
 #: data/xyz.iinuwa.credentialsd.CredentialsUi.desktop.in.in:2
 #: data/xyz.iinuwa.credentialsd.CredentialsUi.metainfo.xml.in.in:8
-#: src/gui/view_model/gtk/mod.rs:400
+#: src/gui/view_model/gtk/mod.rs:401
 msgid "Credential Manager"
 msgstr ""
 
@@ -140,8 +140,8 @@ msgstr ""
 msgid "Something went wrong."
 msgstr ""
 
-#: data/resources/ui/window.ui:304 src/gui/view_model/mod.rs:310
-#: src/gui/view_model/mod.rs:370
+#: data/resources/ui/window.ui:304 src/gui/view_model/mod.rs:315
+#: src/gui/view_model/mod.rs:380
 msgid ""
 "Something went wrong while retrieving a credential. Please try again later "
 "or use a different authenticator."
@@ -189,11 +189,11 @@ msgstr ""
 msgid "Device connected. Follow the instructions on your device"
 msgstr ""
 
-#: src/gui/view_model/gtk/mod.rs:332
+#: src/gui/view_model/gtk/mod.rs:333
 msgid "Insert your security key."
 msgstr ""
 
-#: src/gui/view_model/gtk/mod.rs:351
+#: src/gui/view_model/gtk/mod.rs:352
 msgid "Multiple devices found. Please select with which to proceed."
 msgstr ""
 
@@ -259,26 +259,32 @@ msgstr ""
 msgid "Failed to select credential from device."
 msgstr ""
 
-#: src/gui/view_model/mod.rs:298 src/gui/view_model/mod.rs:358
+#: src/gui/view_model/mod.rs:298 src/gui/view_model/mod.rs:363
 msgid "No matching credentials found on this authenticator."
 msgstr ""
 
-#: src/gui/view_model/mod.rs:302 src/gui/view_model/mod.rs:362
+#: src/gui/view_model/mod.rs:302 src/gui/view_model/mod.rs:367
 msgid ""
 "No more PIN attempts allowed. Try removing your device and plugging it back "
 "in."
 msgstr ""
 
-#: src/gui/view_model/mod.rs:306 src/gui/view_model/mod.rs:366
+#: src/gui/view_model/mod.rs:306 src/gui/view_model/mod.rs:371
 msgid ""
 "This server requires your device to have additional protection like a PIN, "
 "which is not set. Please set a PIN for this device and try again."
 msgstr ""
 
-#: src/gui/view_model/mod.rs:315 src/gui/view_model/mod.rs:375
+#: src/gui/view_model/mod.rs:310 src/gui/view_model/mod.rs:375
+msgid ""
+"The entered PIN violates the PIN-policy of this device (likely too short). "
+"Please try again."
+msgstr ""
+
+#: src/gui/view_model/mod.rs:320 src/gui/view_model/mod.rs:385
 msgid "This credential is already registered on this authenticator."
 msgstr ""
 
-#: src/gui/view_model/mod.rs:424
+#: src/gui/view_model/mod.rs:434
 msgid "Something went wrong. Try again later or use a different authenticator."
 msgstr ""
diff --git a/credentialsd-ui/po/de_DE.po b/credentialsd-ui/po/de_DE.po
@@ -3,7 +3,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \"https://github.com/linux-credentials/credentialsd/"
 "issues\"\n"
-"POT-Creation-Date: 2026-02-11 14:31+0100\n"
+"POT-Creation-Date: 2026-02-12 14:18+0100\n"
 "PO-Revision-Date: 2025-10-10 14:45+0200\n"
 "Last-Translator: Martin Sirringhaus <martin.sirringhaus@suse.com>\n"
 "Language: de_DE\n"
@@ -14,7 +14,7 @@ msgstr ""
 
 #: data/xyz.iinuwa.credentialsd.CredentialsUi.desktop.in.in:2
 #: data/xyz.iinuwa.credentialsd.CredentialsUi.metainfo.xml.in.in:8
-#: src/gui/view_model/gtk/mod.rs:400
+#: src/gui/view_model/gtk/mod.rs:401
 msgid "Credential Manager"
 msgstr "Zugangsdatenmanager"
 
@@ -128,8 +128,8 @@ msgstr "Fertig!"
 msgid "Something went wrong."
 msgstr "Etwas ist schief gegangen."
 
-#: data/resources/ui/window.ui:304 src/gui/view_model/mod.rs:310
-#: src/gui/view_model/mod.rs:370
+#: data/resources/ui/window.ui:304 src/gui/view_model/mod.rs:315
+#: src/gui/view_model/mod.rs:380
 msgid ""
 "Something went wrong while retrieving a credential. Please try again later "
 "or use a different authenticator."
@@ -183,11 +183,11 @@ msgstr ""
 msgid "Device connected. Follow the instructions on your device"
 msgstr "Verbindung hergestellt. Folgen Sie den Anweisungen auf Ihrem Gerät."
 
-#: src/gui/view_model/gtk/mod.rs:332
+#: src/gui/view_model/gtk/mod.rs:333
 msgid "Insert your security key."
 msgstr "Stecken Sie Ihren Security-Token ein."
 
-#: src/gui/view_model/gtk/mod.rs:351
+#: src/gui/view_model/gtk/mod.rs:352
 msgid "Multiple devices found. Please select with which to proceed."
 msgstr "Mehrere Geräte gefunden. Bitte wählen Sie einen aus, um fortzufahren."
 
@@ -259,19 +259,19 @@ msgstr ""
 msgid "Failed to select credential from device."
 msgstr "Zugangsdaten vom Gerät konnten nicht ausgewählt werden."
 
-#: src/gui/view_model/mod.rs:298 src/gui/view_model/mod.rs:358
+#: src/gui/view_model/mod.rs:298 src/gui/view_model/mod.rs:363
 msgid "No matching credentials found on this authenticator."
 msgstr "Keine passenden Zugangsdaten auf diesem Gerät gefunden."
 
-#: src/gui/view_model/mod.rs:302 src/gui/view_model/mod.rs:362
+#: src/gui/view_model/mod.rs:302 src/gui/view_model/mod.rs:367
 msgid ""
 "No more PIN attempts allowed. Try removing your device and plugging it back "
 "in."
 msgstr ""
 "Keine weiteren PIN-Eingaben erlaubt. Versuchen Sie ihr Gerät aus- und wieder "
 "einzustecken."
 
-#: src/gui/view_model/mod.rs:306 src/gui/view_model/mod.rs:366
+#: src/gui/view_model/mod.rs:306 src/gui/view_model/mod.rs:371
 msgid ""
 "This server requires your device to have additional protection like a PIN, "
 "which is not set. Please set a PIN for this device and try again."
@@ -280,11 +280,19 @@ msgstr ""
 "einen PIN. Bitte setzen Sie einen PIN für ihr Gerät und versuchen Sie es "
 "erneut."
 
-#: src/gui/view_model/mod.rs:315 src/gui/view_model/mod.rs:375
+#: src/gui/view_model/mod.rs:310 src/gui/view_model/mod.rs:375
+msgid ""
+"The entered PIN violates the PIN-policy of this device (likely too short). "
+"Please try again."
+msgstr ""
+"Der eingegebene PIN entspricht nicht den PIN-Bestimmungen des Geräts (z.B. "
+"zu kurz). Bitte versuchen Sie es erneut."
+
+#: src/gui/view_model/mod.rs:320 src/gui/view_model/mod.rs:385
 msgid "This credential is already registered on this authenticator."
 msgstr "Diese Zugangsdaten sind bereits auf diesem Gerät registriert."
 
-#: src/gui/view_model/mod.rs:424
+#: src/gui/view_model/mod.rs:434
 msgid "Something went wrong. Try again later or use a different authenticator."
 msgstr ""
 "Es ist ein Fehler aufgetreten. Bitte versuchen Sie es später noch einmal, "
diff --git a/credentialsd-ui/po/en_US.po b/credentialsd-ui/po/en_US.po
@@ -2,7 +2,7 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \"https://github.com/linux-credentials/credentialsd/"
 "issues\"\n"
-"POT-Creation-Date: 2026-02-11 14:31+0100\n"
+"POT-Creation-Date: 2026-02-12 14:18+0100\n"
 "PO-Revision-Date: 2025-10-10 14:45+0200\n"
 "Last-Translator: Martin Sirringhaus <martin.sirringhaus@suse.com>\n"
 "Language: en_US\n"
@@ -13,7 +13,7 @@ msgstr ""
 
 #: data/xyz.iinuwa.credentialsd.CredentialsUi.desktop.in.in:2
 #: data/xyz.iinuwa.credentialsd.CredentialsUi.metainfo.xml.in.in:8
-#: src/gui/view_model/gtk/mod.rs:400
+#: src/gui/view_model/gtk/mod.rs:401
 msgid "Credential Manager"
 msgstr "Credential Manager"
 
@@ -129,8 +129,8 @@ msgstr "Done!"
 msgid "Something went wrong."
 msgstr "Something went wrong."
 
-#: data/resources/ui/window.ui:304 src/gui/view_model/mod.rs:310
-#: src/gui/view_model/mod.rs:370
+#: data/resources/ui/window.ui:304 src/gui/view_model/mod.rs:315
+#: src/gui/view_model/mod.rs:380
 msgid ""
 "Something went wrong while retrieving a credential. Please try again later "
 "or use a different authenticator."
@@ -182,11 +182,11 @@ msgstr ""
 msgid "Device connected. Follow the instructions on your device"
 msgstr "Device connected. Follow the instructions on your device"
 
-#: src/gui/view_model/gtk/mod.rs:332
+#: src/gui/view_model/gtk/mod.rs:333
 msgid "Insert your security key."
 msgstr "Insert your security key."
 
-#: src/gui/view_model/gtk/mod.rs:351
+#: src/gui/view_model/gtk/mod.rs:352
 msgid "Multiple devices found. Please select with which to proceed."
 msgstr "Multiple devices found. Please select with which to proceed."
 
@@ -256,31 +256,39 @@ msgstr ""
 msgid "Failed to select credential from device."
 msgstr "Failed to select credential from device."
 
-#: src/gui/view_model/mod.rs:298 src/gui/view_model/mod.rs:358
+#: src/gui/view_model/mod.rs:298 src/gui/view_model/mod.rs:363
 msgid "No matching credentials found on this authenticator."
 msgstr "No matching credentials found on this authenticator."
 
-#: src/gui/view_model/mod.rs:302 src/gui/view_model/mod.rs:362
+#: src/gui/view_model/mod.rs:302 src/gui/view_model/mod.rs:367
 msgid ""
 "No more PIN attempts allowed. Try removing your device and plugging it back "
 "in."
 msgstr ""
 "No more PIN attempts allowed. Try removing your device and plugging it back "
 "in."
 
-#: src/gui/view_model/mod.rs:306 src/gui/view_model/mod.rs:366
+#: src/gui/view_model/mod.rs:306 src/gui/view_model/mod.rs:371
 msgid ""
 "This server requires your device to have additional protection like a PIN, "
 "which is not set. Please set a PIN for this device and try again."
 msgstr ""
 "This server requires your device to have additional protection like a PIN, "
 "which is not set. Please set a PIN for this device and try again."
 
-#: src/gui/view_model/mod.rs:315 src/gui/view_model/mod.rs:375
+#: src/gui/view_model/mod.rs:310 src/gui/view_model/mod.rs:375
+msgid ""
+"The entered PIN violates the PIN-policy of this device (likely too short). "
+"Please try again."
+msgstr ""
+"The entered PIN violates the PIN-policy of this device (likely too short). "
+"Please try again."
+
+#: src/gui/view_model/mod.rs:320 src/gui/view_model/mod.rs:385
 msgid "This credential is already registered on this authenticator."
 msgstr "This credential is already registered on this authenticator."
 
-#: src/gui/view_model/mod.rs:424
+#: src/gui/view_model/mod.rs:434
 msgid "Something went wrong. Try again later or use a different authenticator."
 msgstr ""
 "Something went wrong. Try again later or use a different authenticator."
diff --git a/credentialsd-ui/src/gui/view_model/gtk/mod.rs b/credentialsd-ui/src/gui/view_model/gtk/mod.rs
@@ -213,6 +213,7 @@ impl ViewModel {
                                     view_model.set_start_setting_new_pin_visible(matches!(
                                         &error,
                                         ViewUpdateFailure::PinNotSet(_)
+                                            | ViewUpdateFailure::PinPolicyViolation(_)
                                     ));
                                     // These are already gettext messages
                                     view_model.set_prompt(error.into_string());
diff --git a/credentialsd-ui/src/gui/view_model/mod.rs b/credentialsd-ui/src/gui/view_model/mod.rs
@@ -305,6 +305,11 @@ impl<F: FlowController + Send> ViewModel<F> {
                                 Error::PinNotSet => ViewUpdateFailure::PinNotSet(gettext(
                                     "This server requires your device to have additional protection like a PIN, which is not set. Please set a PIN for this device and try again.",
                                 )),
+                                Error::PinPolicyViolation => {
+                                    ViewUpdateFailure::PinPolicyViolation(gettext(
+                                        "The entered PIN violates the PIN-policy of this device (likely too short). Please try again.",
+                                    ))
+                                }
                                 Error::AuthenticatorError | Error::Internal(_) => {
                                     ViewUpdateFailure::GeneralFailure(gettext(
                                         "Something went wrong while retrieving a credential. Please try again later or use a different authenticator.",
@@ -365,6 +370,11 @@ impl<F: FlowController + Send> ViewModel<F> {
                                 Error::PinNotSet => ViewUpdateFailure::PinNotSet(gettext(
                                     "This server requires your device to have additional protection like a PIN, which is not set. Please set a PIN for this device and try again.",
                                 )),
+                                Error::PinPolicyViolation => {
+                                    ViewUpdateFailure::PinPolicyViolation(gettext(
+                                        "The entered PIN violates the PIN-policy of this device (likely too short). Please try again.",
+                                    ))
+                                }
                                 Error::AuthenticatorError | Error::Internal(_) => {
                                     ViewUpdateFailure::GeneralFailure(gettext(
                                         "Something went wrong while retrieving a credential. Please try again later or use a different authenticator.",
diff --git a/credentialsd/src/credential_service/nfc.rs b/credentialsd/src/credential_service/nfc.rs
@@ -8,7 +8,7 @@ use libwebauthn::{
     pin::PinManagement,
     proto::CtapError,
     transport::{nfc::device::NfcDevice, Channel, Device},
-    webauthn::{Error as WebAuthnError, WebAuthn},
+    webauthn::{Error as WebAuthnError, PlatformError, WebAuthn},
     UvUpdate,
 };
 use tokio::sync::broadcast;
@@ -261,6 +261,9 @@ async fn handle_events(
             .map_err(|err| match err {
                 WebAuthnError::Ctap(CtapError::PINAuthBlocked) => Error::PinAttemptsExhausted,
                 WebAuthnError::Ctap(CtapError::PINNotSet) => Error::PinNotSet,
+                WebAuthnError::Platform(PlatformError::PinTooShort)
+                | WebAuthnError::Platform(PlatformError::PinTooLong)
+                | WebAuthnError::Ctap(CtapError::PINPolicyViolation) => Error::PinPolicyViolation,
                 WebAuthnError::Ctap(CtapError::NoCredentials) => Error::NoCredentials,
                 WebAuthnError::Ctap(CtapError::CredentialExcluded) => Error::CredentialExcluded,
                 _ => Error::AuthenticatorError,
diff --git a/credentialsd/src/credential_service/usb.rs b/credentialsd/src/credential_service/usb.rs
@@ -11,7 +11,7 @@ use libwebauthn::{
         hid::{channel::HidChannelHandle, HidDevice},
         Channel, Device,
     },
-    webauthn::{Error as WebAuthnError, WebAuthn},
+    webauthn::{Error as WebAuthnError, PlatformError, WebAuthn},
     UvUpdate,
 };
 use tokio::sync::broadcast;
@@ -351,6 +351,9 @@ async fn handle_events(
             .map_err(|err| match err {
                 WebAuthnError::Ctap(CtapError::PINAuthBlocked) => Error::PinAttemptsExhausted,
                 WebAuthnError::Ctap(CtapError::PINNotSet) => Error::PinNotSet,
+                WebAuthnError::Platform(PlatformError::PinTooShort)
+                | WebAuthnError::Platform(PlatformError::PinTooLong)
+                | WebAuthnError::Ctap(CtapError::PINPolicyViolation) => Error::PinPolicyViolation,
                 WebAuthnError::Ctap(CtapError::NoCredentials) => Error::NoCredentials,
                 WebAuthnError::Ctap(CtapError::CredentialExcluded) => Error::CredentialExcluded,
                 _ => Error::AuthenticatorError,
